diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
new file mode 100644
index 00000000..3583f449
--- /dev/null
+++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:34a11765788b8f38d9a7d499eeeac5f5ea8acd6e5a81af7cf3ebf8bd4a3e01c9
+size 175659
diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
new file mode 100644
index 00000000..29c0e2dd
--- /dev/null
+++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33dd77a4ea6bf85eaab9a244085f0e6f3fc79a191dfaa3b50357d9e229ab46e9
+size 1998
diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml
new file mode 100644
index 00000000..c3261d25
--- /dev/null
+++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml
@@ -0,0 +1,15 @@
+author: Steven Dick
+id: 986d1ac2-f76a-48d8-b3af-bf76dc4e80a4
+date: '2025-01-20'
+description: 'Sample of events when an actor compromises a mailbox and conducts certain suspect activities such as email hard deletes, exfiltration, or password/banking information changes.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+sourcetypes:
+- o365:management:activity
+- o365:reporting:messagetrace
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
\ No newline at end of file
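Review bot: The description names three activity classes (hard deletes, exfiltration, password/banking information changes) but does not say which of the two listed sourcetypes carries the evidence for each, so someone writing or validating a detection against this dataset cannot tell from the metadata whether, for example, the exfiltration evidence lives only in the o365:reporting:messagetrace log. Consider extending the description with one sentence that maps each activity to the sourcetype (and log file) it appears in, as the samples were actually captured; I cannot verify that split from the hunk itself, so the wording should come from the author. A second, minor point of style: the file ends with `\ No newline at end of file`; adding a trailing newline keeps it consistent with the other dataset YAML files and avoids noisy diffs on the next edit.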